What your business needs to know to be GDPR compliant

As of 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect, an act that’ll have significant implications for small businesses across the UK, throughout Europe, and the rest of the world.

Businesses of all sizes will have to be legally compliant with the GDPR and its regulations regarding the secure collection, storage and use of personal information.

In this article, we’ll discuss the GDPR’s key features, the effects it’s likely to have on businesses across the UK and what you can do to prepare for the changes, and we’ll review a few common misconceptions.

Key objectives of the GDPR

In simple terms, the GDPR has been introduced as a means to encourage businesses across the EU to take personal data and data protection more seriously. It applies to any and all companies processing and holding the personal data of individuals living in the European Union, regardless of the company’s location.

Today, we function as part of an increasingly data-driven world, one completely different from when the Data Protection Directive was established in 1995. The GDPR aims to update the protection of personal data for the modern world.

As part of its legislation, the GDPR comprises two objectives:

Give citizens and residents control of their personal data to protect and empower them.

Simplify the regulatory environment for international businesses by unifying the regulation within the EU.

Effects on UK businesses

When implemented, the GDPR applies to businesses that fall into two categories: controllers and processors. Controllers dictate how and why personal data is processed, while processors act on behalf of controllers, e.g. an external payroll service provider.

In effect, the GDPR places stringent legal obligations on both. Processors are required to maintain records of personal data and processing activities, while controllers’ contracts with processors need to be in line with the new legislation brought by the GDPR.

Elsewhere, the conditions for consent have been bolstered. As a result, companies will be forbidden from using long, illegible terms and conditions packed with confusing legalese. Requests for consent must be provided in a clear, intelligible manner that uses plain language.

Failure to comply is considered a major breach, with fines of up to €20m, or 4% of total annual global turnover for the previous year (whichever is greater), imposed on businesses that forgo compliance.

How UK businesses can prepare

Since the requirements for businesses to be GDPR-compliant are so stringent, there are a few things you should consider doing before the regulation comes into force next year.

Appoint a data protection officer

Some businesses will be required to hire a data protection officer, including public authorities and those whose activities require regular data monitoring. We’ll further discuss the appointment of data protection officers in our misconception section.

Be selective in what data you need to keep

Superfluous data may cause more of a headache in the long run, so be mindful of any data you’re storing that isn’t being used. The GDPR aims to minimise the collection of data that isn’t used in any meaningful way, resulting in a more focused, disciplined treatment of personal data.

Review your documentation

As mentioned earlier, the conditions for consent are stronger under the GDPR, so implied consent may no longer be acceptable. Individuals must give explicit consent to the handling of their data – review your privacy statements and disclosures, as well as third-party contracts, and make the appropriate adjustments where necessary.

Create an audit trail

When developing new processes and practices to adhere to the GDPR, creating clear audit trails can help protect your business. Demonstrating your intent to meet all guidelines, and showing how you are accommodating the changes through a comprehensive audit trail, can reduce the chances that you’ll fall foul of the regulation.

Protect your privacy

Put measures such as privacy impact assessments in place, as these help to assess the risks to privacy and how to minimise them by creating more efficient and effective processes for handling personal data.

Prepare yourself for data breaches

Ensure that your business has the correct training and systems in place to deal effectively with any data breaches that may occur. If a breach does happen, take quick action and notify the appropriate authorities within 72 hours; if you outsource, you also need to make sure the service provider has these security measures in place.

GDPR misconceptions

A few misconceptions have arisen as a result of the GDPR coming into effect. Here, we’ll discuss some of the more common myths surrounding the implementation of the regulation.

A Data Protection Officer is absolutely mandatory

There’s an implication from some advisers that all organisations must employ a Data Protection Officer (DPO). This isn’t technically true. Rather than the size of a company being the main determiner, it’s the type of data processing that determines the necessity of a DPO.

A DPO must be appointed if your business is a public authority, is involved in large-scale systematic monitoring, or engages in the large-scale processing of sensitive personal data. What counts as “large scale” is open to interpretation, so in this case legal advice should be sought.

Companies with fewer than 250 employees are exempt

Another myth, but one that’s not without basis in fact. Article 30 allows for concessions for companies of this size in relation to their processing activities.

Businesses that have maintained a record of processing activities featuring the name and contact details of the controller, the reason for processing, a description of the personal data, and how long the data will be kept before it is deleted will be exempt from the regulations.

GDPR only applies to companies based in EU nations

With Britain preparing to leave the EU, some companies are operating under the impression that they may be exempt from the GDPR. However, Britain is set to opt in to the GDPR, and furthermore, the regulation applies to all businesses that deal with the data of European citizens – regardless of the business’s home nation.

Work contact details are not personal information

The use of the word ‘personal’ has led some to believe that work-based information is exempt from the GDPR. This is not necessarily true – according to the definition in the Data Protection Act, ‘personal data’ refers to information relating to an individual that has been stored using data collection equipment or filing systems. This means that work-based information – such as professional contact details – can be considered personal information.

GDPR doesn’t apply to existing data

Any existing consents that are valid under the current Directive but do not meet the requirements of the GDPR will have to be re-obtained. Businesses should not rely on legacy consents, and should be proactive in meeting the new regulations.

The views, opinions and positions expressed within this article are those of our third-party content providers alone and do not represent those of Gazprom Energy. The accuracy, completeness and validity of any statements made within this article are not guaranteed. Gazprom Energy accepts no liability for any errors, omissions or representations.